Go to the table of contents Go to the previous page Go to the next page View or print as PDF
United States of America - State Privacy Regulations
Predefined Policies and Classifiers | Forcepoint DLP | 8.7.2
Policies for promoting compliance with various states' privacy regulations
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
Alabama Information Protection
Alabama standard 681S2-00 requires that executive branch agencies, boards, and commissions shall identify Personally Identifiable Information (PII), evaluate the risk and impact of loss or unauthorized disclosure of PII, and implement PII confidentiality safeguards. The policy detects combinations of PII like social security and credit card numbers. Additional rules detect passwords. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Alaska Personal Information Protection Act
Alaska HB 65 of 2008 notifies consumers when a data breach concerning personal information has occurred. Personal information is defined to include unencrypted information on an individual, which consists of the individual's name and one or more of several other pieces of information, including social security number, driver's license number, account number, password, or other access codes. The policy detects combinations of full names with social security, driver's license, or credit card numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Arizona Data Breach Notification Law
Arizona SB 1338 of 2006 requires businesses to provide consumer notification of data breaches. It is applicable to any person that conducts business in Arizona and owns or licenses computerized data that includes personal information or maintains such data. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and Arizona driver's license numbers. The rules for this policy are:
*
*
Arkansas Personal Information Protection Act
Arkansas SB 1167 of 2005 requires organizations to protect personal information of Arkansas residents (including personal health information) and to inform Arkansas customers when their private information is disclosed during a security breach. The policy comprises rules that detect combinations of personally identifiable information with sensitive information such as protected health information, credit card numbers, or passwords. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
*
*
California Consumer Privacy Act (CCPA)
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
Colorado Consumer Protection Act
Colorado HB 06-1119 of 2006 requires that an individual or commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware of a breach of the security of the system, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The individual or the commercial entity shall give notice as soon as possible to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
Connecticut Data Breach Notification Act
Connecticut SB 650 of 2006 requires that any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security, following the discovery of the breach, to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Delaware Data Breach Notification
Delaware HB 116 of 2005 requires that any person who conducts business in this State and who owns, licenses, or maintains computerized data that includes personal information shall provide notice of any breach of security, following determination of the breach of security, to any resident of this state whose personal information was breached or is reasonably believed to have been breached; unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
*
District of Columbia Security Breach Notification Act
District of Columbia CB 16-810, signed into law as the Consumer Personal Information Security Breach Notification Act in 2007, requires any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach. The notification shall be made n the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d) of this section, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Florida Information Protection Act
Florida SB 1524 of 2014 requires that a corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information shall provide notice to the department of any breach of security affecting 500 of more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules protect passwords. The rules for this policy are:
*
*
*
*
*
Georgia Personal Data Security Act
Georgia SB 230 of 2005 requires that in the vent of a breach of the security of the system, which system is maintained by a third-party agent for a covered entity, the third-party agent shall notify the covered entity of such breach as expeditiously as practicable but no later than 72 hours after the determination of such breach or reason to believe such breach has occurred. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords. The rules for this policy are:
*
*
*
*
*
*
*
*
Hawaii Security Breach of Personal Information
Hawaii SB 2290 of 2007 requires that any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Idaho Data Breach Notification
Idaho SB 1374 of 2006 requires a city, county, or stage agency, individual, or commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual, or commercial entity shall give notice as soon as possible to the affected Idaho resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Illinois Personal Information Protection Act
Illinois HB 1633 of 2006 requires data collectors to provide notification of a security breach after discovery, even if data has not been accessed by unauthorized persons. This state law affects all data collectors that own or license personal information (PI), or maintains computerized data that includes PI. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, state ID, and driver's license numbers. Additional rules detect passwords. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Indiana Disclosure of Security Breach law
Indiana SB 503 of 2006 requires that after discovering or being notified of a breach of the security of data, database owners shall disclose the breach to an Indiana resident whose: (1) unencrypted personal information was or may have been acquired by an unauthorized person; or (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key; if the database owners know, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Iowa Data Breach Notification Law
Iowa S.F. 2308 of 2008 requires that any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security, following discovery of such breach of security, to any consumer whose personal information was included in the information that was breached. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Kansas Protection of Consumer Information
Kansas SB 196 requires that a person that conducts business in this state, or a government, governmental subdivision, or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision, or agency shall give notice as soon as possible to the affected Kansas resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Kentucky Data Breach Notification
Kentucky HB 232, signed into law in 2014, requires any person or business entity that conducts business in Kentucky to provide notification in case of an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information (PII) maintained by the information holder as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident. Upon notification or discovery of a breach of the security of the system, an information holder must notify any resident of Kentucky whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person. It is applicable to any person that conducts business in the state and owns or licenses computerized data or maintains such data. The policy detects combinations of PII like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Louisiana Data Breach Notification
Louisiana SB 205 of 2006 demands notification to any Louisiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Maine Data Breach Notification Law
Maine LD 1671 of 2006 requires that an information broker that maintains computerized data that includes personal information that becomes aware of a breach of the security of the system shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused, and shall give notice of a breach of the security of the system, following discovery or notification of the security breach, to a resident of this state whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Maryland Personal Information Protection Act
Maryland HB 208 of 2008 requires that a business that owns or licenses computerized data that includes personal information of an individual residing in the state, when it discovers or is notified of a breach of the security of a system, shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. It is applicable to any person that conducts business in the state and owns or licenses computerized data or maintains such data. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Massachusetts Protection of Personal Information
Massachusetts 201 CMR 17 requires that every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
Michigan Identity Theft Protection Act
Michigan HB 4658 of 2007 requires, unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one ore more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach, shall provide a notice of the security breach to each resident of this state. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Minnesota Data Breach Notification
Minnesota HF 2121 of 2006 requires that any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
Mississippi Data Breach Notification
Mississippi HB 583 of 2010 requires that consumers are notified promptly if the security of their information has been compromised, and gives the public the right to freeze their credit files if they become a victim of identity theft. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Missouri Breach Notification Law
Missouri HB 62 of 2009 requires that any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
*
*
Montana Data Breach Notification Statute
Montana HB 732 of 2005 requires that any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system, following discovery or notification of the breach, to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Nebraska Notification of Data Security Breach Act
Nebraska LB 876, which was signed into law on April 13, 2006, requires that an individual or a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Nevada Security of Personal Information
Nevada SB SB 347 of 2006 requires that data collectors that maintain records that contain personal information of a resident of this state shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
New Hampshire Notice of Security Breach
New Hampshire HB 1660 of 2007 requires businesses who own or license computerized data that includes personal information shall, when they become aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, businesses shall notify the affected individuals as soon as possible. Personal information is considered the customer's full name in combination with any of the following: social security number, driver's license number, or financial account information. The policy detects a combination of full names with social security, driver's license, or credit card numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
New Jersey Personal Information and Privacy Protection Act
New Jersey A 4001 requires that any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
New Mexico Data Breach Notification Act
New Mexico HB 15 of 2017 requires that any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
New York Data Security Act
New York A 4254 of 2005 provides that in the event of unauthorized access to "private information," defined as personal information in combination with a social security number, driver's license, or an account or credit card number, the business or state entity is required to notify affected customers and inform appropriate authorities. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
North Carolina Identity Theft Protection Act
North Carolina SB 1048 of 2005 requires that any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
North Dakota Data Breach Notification
North Dakota Data Breach Notification, amended in 2017 by HB 1088, requires any person that owns or licenses computerized data that includes personal information, to disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Ohio Data Security Breach Notification Law
Ohio HB 104 of 2005 requires that any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to the resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Oklahoma Security Breach Notification Act
Oklahoma HB 2357 of 2006 requires that if you maintain, as part of a database, a consumer's name and other personal identification numbers (i.e., SSN, driver's license, credit card, or financial information with a personal security code) that such information must be encrypted or redacted so that in the event of a breach, such information cannot be obtained and used by a third party. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Oregon Consumer Identity Theft Protection Act
Oregon SB 583 of 2007 requires that a person that owns or licenses personal information that the person uses in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security to a) the consumer to whom the personal information pertains; b) the Attorney General, either in writing or electronically, if the number of consumers to whom the person must send the notice exceeds 250. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers.The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Pennsylvania Breach of Personal Information Notification Act
Pennsylvania SBG 712 of 2006 requires that an entity that maintains, stores, or manages computerized data that includes personal information shall provide notice of any breach of the security of the system, following discovery of the breach of the security of the system, to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Puerto Rico Data Breach Notification
The Puerto Rico Citizen Information of Data Banks Security Act, originally HB 1184, signed into law in 2005, requires that any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico must notify said citizens of any violation of the system's security when the data bank whose security has been violated contains all or part of the personal information file and the same is not protected by a cryptographic code, but only by a password. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Rhode Island Identity Theft Protection Act
Rhode Island HB 6191 of 2006 requires that any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
South Carolina Data Breach Notification
South Carolina SB 453 of 2008 requires that a person conducting business in this state, and owning or licensing computerized data or other data that includes personal identifying information, shall disclose a breach of the security of the system, following discovery or notification of the breach in the security of the data, to a resident of this State whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
South Dakota Medical Records Law
Section 44:73:09:03 of the Administrative Rules of South Dakota requires there shall be written policies and procedures to govern the administration and activities of the medical record service. They shall include policies and procedures pertaining to the confidentiality and safeguarding of medical records, the record content, continuity of a resident's medical records during subsequent admissions, requirements for completion of the record, and the entries to be made by various authorized personnel. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Tennessee Data Breach Notification
Tennessee HB 2170 of 2005 requires that any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
*
Texas Identity Theft Enforcement and Protection Act
Texas SB 122 of 2005 requires businesses to implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure of any sensitive personal information collected or maintained by the business in the regular course of business. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
Utah Protection of Personal Information Act
Utah SB 69 of 2007 requires that 1) any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business. 2) a person who owns or licenses computerized data that includes personal information concerning a Utah resident shall, when the person becomes aware of a breach of system security, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Vermont Security Breach Notice Act
Vermont S 284 of 2007 requires any data collector that owns or licenses computerized personally identifiable information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Virginia Data Breach Notification
Virginia SB 307 of 2008 requires that an individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee with information about any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonable believes the personal information was accessed and acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
Washington Data Breach Notification
Washington SB 6043 requires any person or entity who conducts business in the state, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any resident whose personal information was included in the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
West Virginia Consumer Credit and Protection Act
West Virginia SB 340 of 2008 requires that an individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system, following discovery or notification of the breach of the security of the system, to any resident of this state whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*
Wisconsin Data Breach Notification
Wisconsin SB 164, signed into law in 2006 as Wisconsin Notice of Unauthorized Acquisition of Personal Information, states that if an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity's possession has been acquired by a person whom the entity knows has not been authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
Wyoming Data Breach Notification
Wyoming Computer Security Breach related act, amended by SF 35 and 36 in 2015, requires that any person or business that conducts business in Wyoming and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system, following discovery or notification of the breach, to any resident of Wyoming whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
*
*
*
*
*
*
*
*

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2018 Forcepoint. All rights reserved.